didericis/bot-bottle
1
0
Fork 0
Code Issues 5 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

fix(egress): skip token slots for unauth provider routes
test / unit (pull_request) Successful in 30s
Details
test / integration (pull_request) Successful in 43s
Details

Browse Source
This commit is contained in:
didericis (codex)
2026-06-02 03:06:10 +00:00
parent eb6bace84f
commit d6ebd0d2eb
4 changed files with 43 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bot_bottle/agent_provider.py
+4
View File
@@ -154,9 +154,13 @@ def agent_provision_plan(
dirs.append(AgentProvisionDir(auth_dir)) dirs.append(AgentProvisionDir(auth_dir))
config_path = f"{auth_dir}/config.toml" config_path = f"{auth_dir}/config.toml"
config_file = state_dir / "codex-config.toml" config_file = state_dir / "codex-config.toml"
workspace = f"{guest_home}/workspace"
config_file.write_text( config_file.write_text(
f'[projects."{guest_home}"]\n' f'[projects."{guest_home}"]\n'
'trust_level = "trusted"\n' 'trust_level = "trusted"\n'
"\n"
f'[projects."{workspace}"]\n'
'trust_level = "trusted"\n'
) )
config_file.chmod(0o600) config_file.chmod(0o600)
files.append(AgentProvisionFile(config_file, config_path)) files.append(AgentProvisionFile(config_file, config_path))
bot_bottle/egress.py
+13 -3
View File
@@ -201,6 +201,8 @@ def egress_routes_for_bottle(
def _find_or_alloc_token_env(routes: list[EgressRoute], token_ref: str) -> str: def _find_or_alloc_token_env(routes: list[EgressRoute], token_ref: str) -> str:
"""Return the existing token_env slot for `token_ref`, or allocate the next one.""" """Return the existing token_env slot for `token_ref`, or allocate the next one."""
if not token_ref:
return ""
for route in routes: for route in routes:
if route.token_ref == token_ref and route.token_env: if route.token_ref == token_ref and route.token_env:
return route.token_env return route.token_env
@@ -239,7 +241,11 @@ def _merge_provider_route(
f"ref). Remove the manifest route's auth block or disable the " f"ref). Remove the manifest route's auth block or disable the "
f"feature that adds this provider route." f"feature that adds this provider route."
) )
token_env = _find_or_alloc_token_env(routes, pr.token_ref) token_env = (
_find_or_alloc_token_env(routes, pr.token_ref)
if pr.auth_scheme and pr.token_ref
else ""
)
routes[idx] = EgressRoute( routes[idx] = EgressRoute(
host=route.host, host=route.host,
path_allowlist=route.path_allowlist, path_allowlist=route.path_allowlist,
@@ -250,7 +256,11 @@ def _merge_provider_route(
tls_passthrough=pr.tls_passthrough, tls_passthrough=pr.tls_passthrough,
) )
return routes return routes
token_env = _find_or_alloc_token_env(routes, pr.token_ref) token_env = (
_find_or_alloc_token_env(routes, pr.token_ref)
if pr.auth_scheme and pr.token_ref
else ""
)
routes.append(EgressRoute( routes.append(EgressRoute(
host=pr.host, host=pr.host,
auth_scheme=pr.auth_scheme, auth_scheme=pr.auth_scheme,
@@ -273,7 +283,7 @@ def egress_token_env_map(
silently picking one.""" silently picking one."""
out: dict[str, str] = {} out: dict[str, str] = {}
for r in routes: for r in routes:
if not r.token_env: if not (r.auth_scheme and r.token_ref and r.token_env):
continue continue
existing = out.get(r.token_env) existing = out.get(r.token_env)
if existing is not None and existing != r.token_ref: if existing is not None and existing != r.token_ref:
tests/unit/test_agent_provider.py
+4
View File
@@ -31,6 +31,7 @@ class TestAgentProviderRuntime(unittest.TestCase):
dockerfile="/tmp/Dockerfile.codex", dockerfile="/tmp/Dockerfile.codex",
state_dir=Path(tmp), state_dir=Path(tmp),
) )
config = (Path(tmp) / "codex-config.toml").read_text()
self.assertEqual("codex", plan.template) self.assertEqual("codex", plan.template)
self.assertEqual("codex", plan.command) self.assertEqual("codex", plan.command)
self.assertEqual("read_prompt_file", plan.prompt_mode) self.assertEqual("read_prompt_file", plan.prompt_mode)
@@ -45,6 +46,9 @@ class TestAgentProviderRuntime(unittest.TestCase):
("/home/node/.codex/config.toml",), ("/home/node/.codex/config.toml",),
tuple(f.guest_path for f in plan.files), tuple(f.guest_path for f in plan.files),
) )
self.assertIn('[projects."/home/node"]', config)
self.assertIn('[projects."/home/node/workspace"]', config)
self.assertEqual(2, config.count('trust_level = "trusted"'))
def test_codex_forward_host_credentials_adds_auth_and_verify(self): def test_codex_forward_host_credentials_adds_auth_and_verify(self):
with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp: with tempfile.TemporaryDirectory(prefix="bb-provider.") as tmp:
tests/unit/test_egress.py
+22
View File
@@ -145,6 +145,28 @@ class TestProviderRouteMerge(unittest.TestCase):
self.assertEqual("EGRESS_TOKEN_0", routes[0].token_env) self.assertEqual("EGRESS_TOKEN_0", routes[0].token_env)
self.assertEqual("TOK", routes[0].token_ref) self.assertEqual("TOK", routes[0].token_ref)
def test_unauthenticated_provider_route_appends_without_token_slot(self):
b = _bottle([])
pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
routes = egress_routes_for_bottle(b, (pr,))
self.assertEqual(1, len(routes))
self.assertEqual("api.openai.com", routes[0].host)
self.assertEqual("", routes[0].auth_scheme)
self.assertEqual("", routes[0].token_env)
self.assertEqual("", routes[0].token_ref)
self.assertEqual({}, egress_token_env_map(routes))
def test_unauthenticated_provider_route_upgrades_bare_without_token_slot(self):
b = _bottle([{"host": "api.openai.com"}])
pr = EgressRoute(host="api.openai.com", tls_passthrough=True)
routes = egress_routes_for_bottle(b, (pr,))
self.assertEqual(1, len(routes))
self.assertEqual("", routes[0].auth_scheme)
self.assertEqual("", routes[0].token_env)
self.assertEqual("", routes[0].token_ref)
self.assertTrue(routes[0].tls_passthrough)
self.assertEqual({}, egress_token_env_map(routes))
def test_two_provider_routes_with_same_token_ref_share_slot(self): def test_two_provider_routes_with_same_token_ref_share_slot(self):
b = _bottle([]) b = _bottle([])
routes = egress_routes_for_bottle(b, ( routes = egress_routes_for_bottle(b, (